Guys,
I am really sad not seeing any results in these issues if I look for the word: "CSRF".
I read a lot around:
However, I am not yet able to understand if our endpoint ("/graphql") is protected for this type of attack or if it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.
The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:
When you're using CSRF tokens incorrectly:
...
Adding them to JSON AJAX calls
As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.
If we restrict our endpoint to just use Content-Type: application/json are we safe?
I'll love to have that feature implemented.
Due to inactivity of this issue we have marked it stale. It will be closed if no further activity occurs.
Hey :wave:, It seems like this issue has been inactive for some time. In need for maintaining clear overview of the issues concerning the latest version of graphql-yoga we'll close it.
Feel free to reopen it at any time if you believe we should futher discuss its content. :slightly_smiling_face:
No stale, @stale, please.
Most helpful comment
No stale, @stale, please.